HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Procedure

  1. Configure IP addresses for interfaces and assign the interfaces to security zones.

    # Configure IP addresses for the interfaces of FW-3.

    <sysname> system-view
    [sysname] sysname FW-3
    [FW-3] interface GigabitEthernet 1/0/1
    [FW-3-GigabitEthernet1/0/1] description SACG1_To_Coreswitch1_GE1/1/0/3
    [FW-3-GigabitEthernet1/0/1] ip address 10.4.1.2 29
    [FW-3-GigabitEthernet1/0/1] quit
    [FW-3] interface GigabitEthernet 1/0/2
    [FW-3-GigabitEthernet1/0/2] description SACG1_To_Coreswitch1_GE1/1/0/4
    [FW-3-GigabitEthernet1/0/2] ip address 10.5.1.2 29
    [FW-3-GigabitEthernet1/0/2] quit
    [FW-3] interface GigabitEthernet 1/0/3
    [FW-3-GigabitEthernet1/0/3] description hrp_interface
    [FW-3-GigabitEthernet1/0/3] ip address 10.10.10.1 24
    [FW-3-GigabitEthernet1/0/3] quit

    # Configure IP addresses for the interfaces of FW-4.

    <sysname> system-view
    [sysname] sysname FW-4
    [FW-4] interface GigabitEthernet 1/0/1
    [FW-4-GigabitEthernet1/0/1] description SACG2_To_Coreswitch2_GE2/1/0/3
    [FW-4-GigabitEthernet1/0/1] ip address 10.4.1.3 29
    [FW-4-GigabitEthernet1/0/1] quit
    [FW-4] interface GigabitEthernet 1/0/2
    [FW-4-GigabitEthernet1/0/2] description SACG2_To_Coreswitch2_GE2/1/0/4
    [FW-4-GigabitEthernet1/0/2] ip address 10.5.1.3 29
    [FW-4-GigabitEthernet1/0/2] quit
    [FW-4] interface GigabitEthernet 1/0/3
    [FW-4-GigabitEthernet1/0/3] description hrp_interface
    [FW-4-GigabitEthernet1/0/3] ip address 10.10.10.2 24
    [FW-4-GigabitEthernet1/0/3] quit

    # Assign the interfaces of FW-3 to appropriate security zones.

    [FW-3] firewall zone trust
    [FW-3-zone-trust] add interface GigabitEthernet 1/0/1
    [FW-3-zone-trust] quit
    [FW-3] firewall zone untrust
    [FW-3-zone-untrust] add interface GigabitEthernet 1/0/2
    [FW-3-zone-untrust] quit
    [FW-3] firewall zone dmz
    [FW-3-zone-dmz] add interface GigabitEthernet 1/0/3
    [FW-3-zone-dmz] quit
    

    # Assign the interfaces of FW-4 to appropriate security zones.

    [FW-4] firewall zone trust
    [FW-4-zone-trust] add interface GigabitEthernet 1/0/1
    [FW-4-zone-trust] quit
    [FW-4] firewall zone untrust
    [FW-4-zone-untrust] add interface GigabitEthernet 1/0/2
    [FW-4-zone-untrust] quit
    [FW-4] firewall zone dmz
    [FW-4-zone-dmz] add interface GigabitEthernet 1/0/3
    [FW-4-zone-dmz] quit
    

  2. Configure static routes.

    # On FW-3, configure a static route to guide traffic back to the core switch.

    [FW-3] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4

    # On FW-4, configure a static route to guide traffic back to the core switch.

    [FW-4] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4

  3. Configure link-group.

    # On FW-3, configure link-group 1 and add upstream and downstream service interfaces to the link-group.

    [FW-3] interface GigabitEthernet 1/0/1
    [FW-3-GigabitEthernet1/0/1] link-group 1
    [FW-3-GigabitEthernet1/0/1] quit
    [FW-3] interface GigabitEthernet 1/0/2
    [FW-3-GigabitEthernet1/0/2] link-group 1
    [FW-3-GigabitEthernet1/0/2] quit
    

    # On FW-4, configure link-group 1 and add upstream and downstream service interfaces to the link-group.

    [FW-4] interface GigabitEthernet 1/0/1
    [FW-4-GigabitEthernet1/0/1] link-group 1
    [FW-4-GigabitEthernet1/0/1] quit
    [FW-4] interface GigabitEthernet 1/0/2
    [FW-4-GigabitEthernet1/0/2] link-group 1
    [FW-4-GigabitEthernet1/0/2] quit
    

  4. Configure hot standby.

    # Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-3, setting its state to Active.

    [FW-3] interface GigabitEthernet 1/0/1
    [FW-3-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 active
    [FW-3-GigabitEthernet1/0/1] quit

    # Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-3, setting its state to Active.

    [FW-3] interface GigabitEthernet 1/0/2
    [FW-3-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 active
    [FW-3-GigabitEthernet1/0/2] quit

    # Designate GE1/0/3 as the heartbeat interface of FW-3, and enable hot standby.

    [FW-3] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2
    [FW-3] hrp enable

    # Configure VRRP group 1 on the upstream interface GE1/0/1 of FW-4, setting its state to Standby.

    [FW-4] interface GigabitEthernet 1/0/1
    [FW-4-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 standby
    [FW-4-GigabitEthernet1/0/1] quit

    # Configure VRRP group 2 on the downstream interface GE1/0/2 of FW-4, setting its state to Standby.

    [FW-4] interface GigabitEthernet 1/0/2
    [FW-4-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 standby
    [FW-4-GigabitEthernet1/0/2] quit

    # Designate GE1/0/3 as the heartbeat interface of FW-4, and enable hot standby.

    [FW-4] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1
    [FW-4] hrp enable
    NOTE:
    After hot standby is configured, you only need to configure security policies and SACG on the active device FW-3. The configuration on FW-3 is automatically backed up on FW-4.

  5. Disable the stateful inspection function.

    HRP_M[FW-3] undo firewall session link-state check

  6. Configure security policies.

    # Configure a Local-Trust security policy to allow the communication between the FW and Service Controller.

    HRP_M[FW-3] security-policy
    HRP_M[FW-3-security-policy] rule name sc_to_sacg
    HRP_M[FW-3-security-policy-sc_to_sacg] source-zone trust local
    HRP_M[FW-3-security-policy-sc_to_sacg] destination-zone local trust
    HRP_M[FW-3-security-policy-sc_to_sacg] action permit
    HRP_M[FW-3-security-policy-sc_to_sacg] quit
    

    # Configure a Local-Untrust security policy so that the FW can push the web-based authentication page to terminal users.

    HRP_M[FW-3-security-policy] rule name sacg_to_client
    HRP_M[FW-3-security-policy-sacg_to_client] source-zone local
    HRP_M[FW-3-security-policy-sacg_to_client] destination-zone untrust
    HRP_M[FW-3-security-policy-sacg_to_client] action permit
    HRP_M[FW-3-security-policy-sacg_to_client] quit
    HRP_M[FW-3-security-policy] quit
    

  7. Configure the interworking with the Agile Controller.

    # Enter the view for configuring interworking between the FW and the Agile Controller, and specify the number of the default ACL.

    NOTE:

    If ACLs 3099 to 3999 are in use, delete them before configuring the interworking with the Agile Controller. Otherwise, conflicts occur when the FW generates ACL rules.

    HRP_M[FW-3] right-manager server-group
    HRP_M[FW-3-rightm] default acl 3099

    # Add the Service Controllers to the FW so that the FW can interwork with them. Because two Service Controllers are deployed, run the server ip command twice, once for each.

    NOTE:

    The port and shared key in the server ip command must be the same as those on the Service Controller. Otherwise, the FW cannot interwork with the Service Controller, and the SACG interworking function is unavailable.

    HRP_M[FW-3-rightm] server ip 192.168.1.2 port 3288 shared-key TSM_Security
    HRP_M[FW-3-rightm] server ip 192.168.1.3 port 3288 shared-key TSM_Security

    # Configure Web authentication. When an unauthenticated terminal user attempts to access the network, the FW automatically pushes the Web authentication page to the user, who can then authenticate on the web page.

    HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.2:8084/auth
    HRP_M[FW-3-rightm] right-manager authentication url http://192.168.1.3:8084/auth

    # Configure the local IP address used by the FW for communicating with the Service Controller.

    NOTE:
    The configuration cannot be backed up. You must configure it on both FWs. Set the IP address of the standby FW to 10.4.1.3.
    HRP_M[FW-3-rightm] local ip 10.4.1.2

    # Enable the server group so that the FW connects to the Service Controller immediately and sends the interworking request. After the connection succeeds, the FW can receive the roles and rules delivered by the Agile Controller.

    HRP_M[FW-3-rightm] right-manager server-group enable

    # Configure an emergency channel and set the minimum number of Service Controllers to 1. As long as at least one Service Controller is connected to the FW, the FW performs Agile Controller detection normally. If the FW cannot connect to any Service Controller, it opens the emergency channel so that all users can access the controlled network; terminal users therefore keep network access even if the Service Controllers fail.

    HRP_M[FW-3-rightm] right-manager server-group active-minimum 1
    HRP_M[FW-3-rightm] right-manager status-detect enable
    HRP_M[FW-3-rightm] quit

    # Apply ACL 3099 to the inbound direction of the Trust-Untrust interzone. Terminal users can then communicate normally with the servers in the pre-authentication domain, and the permit rule of the emergency channel is delivered to the Trust-Untrust interzone correctly.

    HRP_M[FW-3] firewall interzone trust untrust
    HRP_M[FW-3-interzone-trust-untrust] apply packet-filter right-manager inbound
    HRP_M[FW-3-interzone-trust-untrust] quit
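Steps 4 and 7 rely on settings that must be consistent across both units but that HRP does not back up for you: interface addresses and zone membership, the VRRP groups with complementary active/standby roles, the heartbeat peers, the link-group, the per-unit `local ip`, and the absence of user ACLs in the 3099 to 3999 range reserved for right-manager. As an added example (not Huawei tooling and not a command from this document), the following Python script parses CLI transcripts in the prompt format shown above and cross-checks an HRP pair against those rules. The transcript template is constructed from the FW commands on this page; the view-name patterns the parser matches and the `active`/`standby` role keywords are assumptions drawn from the transcripts shown here.

```python
import re
from collections import defaultdict

# One CLI transcript line, e.g. "HRP_M[FW-3-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 active"
PROMPT_RE = re.compile(r"^\s*(?:HRP_[MS])?\[(?P<view>[^\]]+)\]\s*(?P<cmd>\S.*?)\s*$")
RESERVED_ACLS = range(3099, 4000)  # right-manager generates its own ACL rules in this range (step 7 note)

def parse_transcript(text):
    """Build a small model of one unit: interfaces, zones, HRP heartbeat, local ip and ACL numbers."""
    dev = {"name": None, "zones": defaultdict(set), "local_ip": None, "acls": set(),
           "hrp": {"iface": None, "remote": None},
           "interfaces": defaultdict(lambda: {"ip": None, "vrrp": {}, "link_group": None})}
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if not m:
            continue  # user-view prompts (<sysname>), comments and blank lines carry no config
        view, words = m.group("view"), m.group("cmd").split()
        iface = re.search(r"-(GigabitEthernet\S+)$", view)  # inside an interface view?
        zone = re.search(r"-zone-(\w+)$", view)              # inside a zone view?
        port = dev["interfaces"][iface.group(1)] if iface else None
        if words[0] == "sysname":
            dev["name"] = words[1]
        elif port is not None and words[:2] == ["ip", "address"]:
            port["ip"] = words[2]
        elif port is not None and words[:2] == ["vrrp", "vrid"]:
            port["vrrp"][int(words[2])] = (words[4], words[5] if len(words) > 5 else None)  # (VIP, role)
        elif port is not None and words[0] == "link-group":
            port["link_group"] = int(words[1])
        elif zone and words[:2] == ["add", "interface"]:
            dev["zones"][zone.group(1)].add("".join(words[2:]))  # "GigabitEthernet 1/0/1" -> "GigabitEthernet1/0/1"
        elif words[:2] == ["hrp", "interface"]:
            dev["hrp"].update(iface=words[2] + words[3], remote=words[5])
        elif view.endswith("-rightm") and words[:2] == ["local", "ip"]:
            dev["local_ip"] = words[2]
        elif words[0] == "acl" and len(words) > 1:
            num = words[2] if words[1] == "number" and len(words) > 2 else words[1]
            if num.isdigit():
                dev["acls"].add(int(num))
    return dev

def audit_pair(a, b):
    """Return human-readable findings for an HRP pair; an empty list means the pair is consistent."""
    out = []
    for d in (a, b):  # per-unit checks: settings HRP does not synchronise must be present and correct
        n = d["name"]
        if d["local_ip"] is None:
            out.append(f"{n}: local ip not configured (HRP does not back this setting up)")
        elif d["local_ip"] not in {p["ip"] for p in d["interfaces"].values()}:
            out.append(f"{n}: local ip {d['local_ip']} is not an address of this unit")
        clash = sorted(x for x in d["acls"] if x in RESERVED_ACLS)
        if clash:
            out.append(f"{n}: ACL {clash} inside the 3099-3999 range reserved for right-manager")
    for me, peer in ((a, b), (b, a)):  # each heartbeat 'remote' must be the peer's heartbeat address
        peer_hb = peer["interfaces"].get(peer["hrp"]["iface"], {}).get("ip")
        if me["hrp"]["remote"] != peer_hb:
            out.append(f"{me['name']}: hrp remote {me['hrp']['remote']} != peer heartbeat {peer_hb}")
    for zone in set(a["zones"]) | set(b["zones"]):  # zone membership is configured per unit
        if a["zones"].get(zone) != b["zones"].get(zone):
            out.append(f"zone {zone}: member interfaces differ between the units")
    for iface in set(a["interfaces"]) | set(b["interfaces"]):
        pa, pb = (d["interfaces"].get(iface, {"vrrp": {}, "link_group": None}) for d in (a, b))
        for vrid in set(pa["vrrp"]) | set(pb["vrrp"]):
            ga, gb = pa["vrrp"].get(vrid), pb["vrrp"].get(vrid)
            if ga is None or gb is None:
                out.append(f"{iface}: VRRP group {vrid} exists on one unit only")
            elif ga[0] != gb[0]:
                out.append(f"{iface}: VRRP group {vrid} virtual IPs differ ({ga[0]} vs {gb[0]})")
            elif {ga[1], gb[1]} != {"active", "standby"}:
                out.append(f"{iface}: VRRP group {vrid} roles are {ga[1]}/{gb[1]}, expected active+standby")
        if (pa["vrrp"] or pb["vrrp"]) and (pa["link_group"] is None or pa["link_group"] != pb["link_group"]):
            out.append(f"{iface}: service interface is not in the same link-group on both units")
    return out

def transcript(name, up_ip, down_ip, hb_ip, peer_hb_ip, role, local_ip):
    # Constructed transcript mirroring the FW commands in steps 1, 3, 4 and 7 of this page.
    return f"""
[sysname] sysname {name}
[{name}-GigabitEthernet1/0/1] ip address {up_ip} 29
[{name}-GigabitEthernet1/0/1] link-group 1
[{name}-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.4.1.1 {role}
[{name}-GigabitEthernet1/0/2] ip address {down_ip} 29
[{name}-GigabitEthernet1/0/2] link-group 1
[{name}-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.5.1.1 {role}
[{name}-GigabitEthernet1/0/3] ip address {hb_ip} 24
[{name}-zone-trust] add interface GigabitEthernet 1/0/1
[{name}-zone-untrust] add interface GigabitEthernet 1/0/2
[{name}-zone-dmz] add interface GigabitEthernet 1/0/3
[{name}] hrp interface GigabitEthernet 1/0/3 remote {peer_hb_ip}
[{name}-rightm] local ip {local_ip}
"""

FW3 = transcript("FW-3", "10.4.1.2", "10.5.1.2", "10.10.10.1", "10.10.10.2", "active", "10.4.1.2")
FW4 = transcript("FW-4", "10.4.1.3", "10.5.1.3", "10.10.10.2", "10.10.10.1", "standby", "10.4.1.3")

if __name__ == "__main__":
    # Both units 'active' is a common copy-paste mistake; the audit flags it once per VRRP group.
    for finding in audit_pair(parse_transcript(FW3), parse_transcript(FW4.replace("standby", "active"))):
        print("-", finding)
```

Run it against the real `display current-configuration` transcript of each unit (or the console log of the session that configured them) before `hrp enable`; an empty result means the two units agree on everything the procedure configures by hand, and each finding names the unit or interface to correct.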

  8. Configure the core switches. This part uses the CE12800 as an example to describe the configuration for interworking between the switch and FW.

    # Configure the interfaces and VLANs of core switches.

    [~CSS] vlan batch 101 to 102
    [*CSS] interface gigabitethernet 1/1/0/3
    [*CSS-GigabitEthernet1/1/0/3] description To_SACG1_GE1/0/1
    [*CSS-GigabitEthernet1/1/0/3] port link-type access
    [*CSS-GigabitEthernet1/1/0/3] port default vlan 101
    [*CSS-GigabitEthernet1/1/0/3] quit
    [*CSS] interface gigabitethernet 1/1/0/4
    [*CSS-GigabitEthernet1/1/0/4] description To_SACG1_GE1/0/2
    [*CSS-GigabitEthernet1/1/0/4] port link-type access
    [*CSS-GigabitEthernet1/1/0/4] port default vlan 102
    [*CSS-GigabitEthernet1/1/0/4] quit
    [*CSS] interface gigabitethernet 2/1/0/3
    [*CSS-GigabitEthernet2/1/0/3] description To_SACG2_GE1/0/1
    [*CSS-GigabitEthernet2/1/0/3] port link-type access
    [*CSS-GigabitEthernet2/1/0/3] port default vlan 101
    [*CSS-GigabitEthernet2/1/0/3] quit
    [*CSS] interface gigabitethernet 2/1/0/4
    [*CSS-GigabitEthernet2/1/0/4] description To_SACG2_GE1/0/2
    [*CSS-GigabitEthernet2/1/0/4] port link-type access
    [*CSS-GigabitEthernet2/1/0/4] port default vlan 102
    [*CSS-GigabitEthernet2/1/0/4] quit
    [*CSS] interface vlanif 101
    [*CSS-Vlanif101] ip address 10.4.1.4 29
    [*CSS-Vlanif101] quit
    [*CSS] interface vlanif 102
    [*CSS-Vlanif102] ip address 10.5.1.4 29
    [*CSS-Vlanif102] quit
    [*CSS] commit

    # Configure PBR.

    [~CSS] acl 3001
    [*CSS-acl4-advance-3001] rule 5 permit ip source 10.8.1.0 24
    [*CSS-acl4-advance-3001] quit
    [~CSS] traffic classifier c1
    [*CSS-classifier-c1] if-match acl 3001
    [*CSS-classifier-c1] quit
    [~CSS] traffic behavior b1
    [*CSS-behavior-b1] redirect nexthop 10.5.1.1
    [*CSS-behavior-b1] quit
    [~CSS] traffic policy p1
    [*CSS-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
    [*CSS-trafficpolicy-p1] quit
    [~CSS] interface eth-trunk 2  //Eth-Trunk 2 connects the core switch to branch 1.
    [*CSS-Eth-Trunk2] traffic-policy p1 inbound
    [*CSS-Eth-Trunk2] quit
    [*CSS] commit

  9. Configure the Agile Controller.
    1. Configure the firewall to function as the hardware SACG.

      1. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Config.
      2. Click Add on the Hardware SACG tab.

        NOTE:

        If NAT is configured to implement address translation between end users and the SC, set the IP address range (Start IP Address and End IP Address) to the range of translated IP addresses for end users but not the real IP addresses of terminals. Otherwise, end users cannot go online on the SACG.

    2. Configure the pre-authentication domain, isolation domain, and post-authentication domain.

      1. Click Add on the Pre-Authentication Domain tab.

        Add the IP addresses of the other pre-authentication servers to the pre-authentication domain.

      2. Click Add on the Controlled Domain tab to add the isolation domain resources to a protected domain.

        Repeat the preceding step to add the post-authentication resources to the protected domain.

      3. Click Add on the Isolation Domain tab to set the resource that end users can access.

      4. Click Add on the Post-Authentication Domain tab to set the post-authentication resource that end users can access only in working hours, that is, the post_work resource.

        Add the resource that end users cannot access in non-working hours to the post-authentication domain according to the preceding steps.

    3. Configure and apply an SACG policy group to an account/user group or IP address segment.

      1. Configure a time segment to allow employees to access the service system only in working hours.
        1. Choose Policy > Permission Control > Policy Element > Schedule.
        2. Click Add.
        3. Click OK.
      2. Configure an SACG policy group.
        1. Choose Policy > Permission Control > Hardware SACG > Hardware SACG Policy Group.
        2. Click Add.
        3. Click OK.
      3. Apply the SACG policy group to an account/user group or IP address segment. In this example, the SACG policy group is applied to a user group.
        NOTE:

        The SACG policy group is applied to accounts, department/user groups, and IP address segments in descending order of matching priority.

        Click next to SACG policy to apply the SACG policy to the specified user group.

Updated: 2019-01-26

Document ID: EDOC1100062972